syslog user can't write to serial or terminal devices

Bug #1258245 reported by Andy Doan
This bug affects 3 people
Affects Status Importance Assigned to Milestone
rsyslog (Ubuntu)

Bug Description

We configure a VM via libvirt to have a serial device(/dev/ttyS0) that writes to a file on the host. During the desktop install we have some early preseed logic that adds an /etc/rsyslog.d config file that directs syslog messages to /dev/ttyS0. Under recent images, nothing is showing up in the file on the host end. For a quick sanity check I ran the following command in the VM:

 echo ANDY > /dev/ttyS0

This works when done as root, but won't work when run as the syslog user. Digging a little more I see rsyslogd runs as syslog (which is in the syslog and adm groups) and ttyS0 is writeable to root and dialout.

This is based on today's image with includes rsyslog 7.4.4-1ubuntu2

Tags: trusty
tags: added: trusty
Revision history for this message
Martin Pitt (pitti) wrote :

This is by and large by design, as rsyslog now runs with reduced privileges. If you want rsyslog to access serial terminals, you can do

   sudo adduser syslog dialout

Revision history for this message
Andy Doan (doanac) wrote :

We are doing this for an unattended install. I suppose the way to handle it would be to update our initrd with something in /etc/rc.local to do this?

Revision history for this message
Paul Larson (pwlars) wrote :

We could probably do it in an early_command, I'm trying that right now. But I think it would be reasonable to add syslog to the dialout group. Is there a security concern with that, given that there's a pretty valid use case for it?

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rsyslog (Ubuntu):
status: New → Confirmed
Changed in rsyslog (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Daniel Richard G. (skunk) wrote :

Generalized the title to include terminal devices (e.g. Linux virtual terminals) as well.

I'd like to see a better way to set this up. Yes, you can add the syslog user to the dialout and/or tty groups, but that grants access to *all* serial/terminal devices respectively. This can have security consequences if the syslog user is compromised, given that serial devices can include modems, and terminal devices would encompass tty-mode user login sessions.

The current situation is particularly awkward because /etc/rsyslog.d/50-default.conf contains a commented-out rule that directs logging to tty8. No mention is made of any permission issues. I wanted to do basically that, and was puzzled for a few minutes as to why nothing was appearing on the configured virtual terminal.

summary: - syslog user can't write to /dev/ttyS0
+ syslog user can't write to serial or terminal devices
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers